Skip to main content
close search
site logo
Dive Brief

Corporate boards expand cybersecurity risk oversight: EY

The recent study shows Fortune 100 chief information security officers are growing more closely engaged with their boards and C-suites.

Published Aug. 29, 2023
David Jones's headshot
Reporter
People sitting around a board room table
Caiaimage/Paul Bradbury via Getty Images

First published on

Cybersecurity Dive

Dive Brief:

  • With new Securities and Exchange Commission disclosure rules set to take effect in early September, a study from the EY Center for Board Matters shows director oversight of cybersecurity at Fortune 100 companies is rapidly evolving. 
  • In SEC filings, four in five companies disclosed how often management reported to the board or committees on cybersecurity, the study found. Almost half of the companies reported at least annually to the board on cybersecurity. 
  • More than three in five companies disclosed cybersecurity as an area of expertise sought by the board, up from one in five in 2018.

Dive Insight:

EY's sixth annual study is based on proxy statements and annual reports of 75 of the top Fortune 100 companies, from fiscal year 2018 through May 31.

The research shows just how much cybersecurity has evolved as a focus of board oversight in recent years, as cybersecurity risk has become a much more prevalent concern for shareholders, customers and government regulators. 

The report indicates companies are streamlining the process of disclosing cyber risk information to the board. For example, 57% of Fortune 100 companies have designated at least one person to report these issues to the board, with most designating either a CISO or CIO. In 2018 only 23% of Fortune 100 companies made such a designation. 

The final SEC rules have heightened the cybersecurity mandate for companies, requiring them to disclose within four business days of determining an incident is material. But regulators also want to know how corporate boards are keeping track of information that follows those initial disclosures. 

“The rules include guidance in the event that any required information is not determined or is unavailable at the time the Form 8-K is completed, and among other requirements, registrants now are required to identify any board committee or subcommittee that oversees cybersecurity risk,” Pat Niemann, forum leader of EY Americas Audit Committee, said via email. 

The new rules also call for companies to disclose the process used to inform these committees, Niemann said

Filed Under: Technology

Editors' picks

Company Announcements

View all | Post a press release
Legion Technologies Partners with Vail Resorts to Expand Workforce Management Across 37 Resort…
From Legion Technologies
November 19, 2024

Want to share a company announcement with your peers?

Get started

Editors' picks
Latest in Technology
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell